VMware NSX 4.x Distributed Firewall Security Technical Implementation Guide
Overview
| Version | Date | Finding Count (6) |
|---|---|---|
| 1 | 2024-12-13 | CAT I (High): 1; CAT II (Medium): 4; CAT III (Low): 1 |
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Findings - All
| Finding ID | Severity | Title | Description |
|---|---|---|---|
| V-265633 | | The NSX Distributed Firewall must configure an IP Discovery profile to disable trust on every use method. | A compromised host in an enclave can be used by a malicious platform to launch cyberattacks on third parties. This is a common practice in "botnets", ... |
| V-265618 | | The NSX Distributed Firewall must limit the effects of packet flooding types of denial-of-service (DoS) attacks. | A firewall experiencing a DoS attack will not be able to handle production traffic load. The high utilization and CPU caused by a DoS attack will also... |
| V-265619 | | The NSX Distributed Firewall must deny network communications traffic by default and allow network communications traffic by exception. | To prevent malicious or accidental leakage of traffic, organizations must implement a deny-by-default security posture at the network perimeter. Such ... |
| V-265628 | | The NSX Distributed Firewall must be configured to inspect traffic at the application layer. | Application inspection enables the firewall to control traffic based on different parameters that exist within the packets such as enforcing applicati... |
| V-265630 | | The NSX Distributed Firewall must configure SpoofGuard to restrict it from accepting outbound packets that contain an illegitimate address in the source address. | A compromised host in an enclave can be used by a malicious platform to launch cyberattacks on third parties. This is a common practice in "botnets", ... |
| V-265612 | | The NSX Distributed Firewall must generate traffic log entries that can be sent by the ESXi hosts to the central syslog. | Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or... |